[
https://issues.apache.org/jira/browse/ARTEMIS-3794?focusedWorklogId=788124&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-788124
]
ASF GitHub Bot logged work on ARTEMIS-3794:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 06/Jul/22 03:31
Start Date: 06/Jul/22 03:31
Worklog Time Spent: 10m
Work Description: ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r914382446
##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
realTrustStorePassword = trustStorePassword;
} else {
realKeyStorePath =
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME),
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v ->
useDefaultSslContext ? keyStorePath :
v).filter(Objects::nonNull).findFirst().orElse(null);
- realKeyStorePassword =
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v
-> useDefaultSslContext ? keyStorePassword :
v).filter(Objects::nonNull).findFirst().orElse(null);
+ realKeyStorePassword =
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v
-> useDefaultSslContext ? keyStorePassword :
v).filter(Objects::nonNull).findFirst().orElse(null));
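Review bot: On the added realKeyStorePassword line, processSslPasswordProperty(...) wraps the whole stream result, so it also runs on the keyStorePassword fallback (and on every value when useDefaultSslContext is true), which the review comment below says is already decrypted through ConfigurationHelper#getPasswordProperty(...). That value would be processed a second time; consider applying processSslPasswordProperty(...) only to the two System.getProperty(...) values before they enter the stream and leaving keyStorePassword as is. The wrapped expression can also evaluate to null through .orElse(null), so processSslPasswordProperty(...) needs to accept a null argument, and a short code comment noting that these system properties now accept ENC(...) would help the next reader.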
Review Comment:
This PR enables ENC(...) handling for the
'org.apache.activemq.ssl.keyStorePassword', 'o.a.a.ssl.trustStorePassword',
'javax.net.ssl.keyStorePassword', and 'j.n.ssl.trustStorePassword' system
property values. The connector URL 'keyStorePassword' and 'trustStorePassword'
query string handling is unchanged as these values already are decrypted as
needed through the ConfigurationHelper#getPasswordProperty(...) method in lines
401 and 409.
The system properties obviously aren't part of the 'configuration' Map so
the ConfigurationHelper#getPasswordProperty(...) method can't be used directly.
The processSslPasswordProperty(...) method duplicates the behavior of calling
getPasswordProperty(...) using the same
ActiveMQDefaultConfiguration.getPropMaskPassword() and .getPropPasswordCodec()
used for the connector URL password handling for the 'keyStorePassword' and
'trustStorePassword'.
Hopefully, that makes more sense as to the intent. ARTEMIS-3794 is just a
JIRA I saw similar to the AMQP broker connection user and password attribute
encryption handling.
Issue Time Tracking
-------------------
Worklog Id: (was: 788124)
Time Spent: 2h (was: 1h 50m)
> "org.apache.activemq.ssl.keyStorePassword" and
> "org.apache.activemq.ssl.trustStorePassword" system properties should support
> ENC(...) format
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-3794
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3794
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 2.19.1
> Reporter: Apache Dev
> Priority: Major
> Time Spent: 2h
> Remaining Estimate: 0h
>
> In order to set client keyStore/trustStore passwords, overriding those
> obtained by topology updates from brokers (see ARTEMIS-1157), we need to set
> system properties.
> Such properties could be logged in traces or be present in dumps.
> It would be a more secure practice to handle ENC(...) format to mask them.